pdata cookie with SameSite value not equal to None is not removed and logout request leads to an internal server error with federated flow on SP side
Environment
LemonLDAP::NG version: 2.0.8
Operating system: Debian
Web server: Nginx
Summary
The error occurs with the SAML flow.
Portal1 is the SP. Portal2 is the IdP.
The Portal1 cookie is Secure, HttpOnly and SameSite=Strict or Lax.
Flow:
Portal1/manager -> redirect Portal1 -> Select Portal2 -> redirect Portal2 -> Login -> redirect Portal1 -> redirect Portal1/manager => OK
Try to go to Portal1 => ALWAYS redirected to Portal1/manager (pdata NOT removed when SameSite=Strict or Lax)
From the SP Manager, click on Logout => 500 Internal Server Error
Set the SP cookie SameSite value to None => everything works fine!
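As an added illustration (not code from this issue or from LemonLDAP::NG), a small Python model of the browser's SameSite rules replayed over the flow above. It assumes the SP only emits the Set-Cookie that clears pdata when the incoming request actually carries the pdata cookie; the site names portal1/portal2 follow the report.

```python
# Added example, not part of the issue or of LemonLDAP::NG. Models how the
# browser decides whether the pdata cookie is attached to each request of the
# SP <-> IdP round trip, for SameSite=Strict, Lax and None.
# Assumption (hypothetical, not confirmed by the report): the SP clears pdata
# only when it sees the cookie on the request that ends the SAML exchange.
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    site: str       # site that set the cookie
    samesite: str   # "Strict", "Lax" or "None"


def cookie_is_sent(c: Cookie, target_site: str, initiator_site: str, method: str) -> bool:
    """Browser rules: Strict never crosses sites; Lax crosses only on top-level
    safe-method (GET) navigations; None is always sent (cookie is Secure over HTTPS)."""
    if c.site != target_site:
        return False                      # cookie belongs to another site
    same_site = initiator_site == target_site
    if c.samesite == "Strict":
        return same_site
    if c.samesite == "Lax":
        return same_site or method == "GET"
    return True                           # SameSite=None


def simulate_sp_flow(samesite: str) -> dict:
    """Replay the report's flow for one SameSite value and return what the SP sees."""
    jar = []
    # Step 1: same-site visit of Portal1/manager; the SP stores the target URL in pdata.
    jar.append(Cookie("lemonldappdata", '{"_url":"<manager-url>"}', "portal1", samesite))
    # Step 2: the IdP (portal2) autoPosts the SAMLResponse to portal1: a cross-site POST.
    sent = [c.name for c in jar if cookie_is_sent(c, "portal1", "portal2", "POST")]
    pdata_seen_on_return = "lemonldappdata" in sent
    if pdata_seen_on_return:
        jar = [c for c in jar if c.name != "lemonldappdata"]   # SP clears pdata
    # Step 3: later same-site GET to Portal1; a surviving pdata triggers the redirect.
    later = [c.name for c in jar if cookie_is_sent(c, "portal1", "portal1", "GET")]
    return {"pdata_seen_on_saml_return": pdata_seen_on_return,
            "redirects_to_manager_again": "lemonldappdata" in later}


if __name__ == "__main__":
    for ss in ("Strict", "Lax", "None"):
        print(ss, simulate_sp_flow(ss))
```

Under this model only SameSite=None lets the SP see pdata on the POST back from the IdP, which matches the report's observation that Strict and Lax both leave pdata in place.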
Logs
[Mon Aug 10 17:48:43 2020] [LLNG:29731] [debug] VH portal1 is HTTPS
[Mon Aug 10 17:48:43 2020] [LLNG:29731] [debug] Get session bef8368b05f861668d8c97539b8ce025a4237d6282e4c094590305f247b983ef from Handler internal cache
[Mon Aug 10 17:48:43 2020] [LLNG:29731] [debug] No URL authentication level found...
[Mon Aug 10 17:48:43 2020] [LLNG:29731] [debug] portal1: Apply default rule
[Mon Aug 10 17:48:43 2020] [LLNG:29731] [debug] removing cookie
[Mon Aug 10 17:48:43 2020] [LLNG:29731] [debug] Cookies -> rxVisitor=1594286362883RUCNHM78RQP465OKD8A2RMMTB1G5HBFF; lemonldappdata=%7B%22_url%22%3A%22aHR0cHM6Ly9tYW5hZ2VyLnBwc3NvLnBzaS5taW5pbnQuZnIv%22%7D; llnglanguage=fr; lemonldap=bef8368b05f861668d8c97539b8ce025a4237d6282e4c094590305f247b983ef
[Mon Aug 10 17:48:43 2020] [LLNG:29731] [debug] CookieName -> lemonldap
[Mon Aug 10 17:48:43 2020] [LLNG:29731] [debug] newCookies -> rxVisitor=1594286362883RUCNHM78RQP465OKD8A2RMMTB1G5HBFF; lemonldappdata=%7B%22_url%22%3A%22aHR0cHM6Ly9tYW5hZ2VyLnBwc3NvLnBzaS5taW5pbnQuZnIv%22%7D; llnglanguage=fr;
[Mon Aug 10 17:48:43 2020] [LLNG:29731] [debug] User XXXXX@GN was granted to access to /?logout=1
[Mon Aug 10 17:48:43 2020] [LLNG:29731] [debug] Start routing default route
[Mon Aug 10 17:48:43 2020] [LLNG:29731] [debug] Processing importHandlerData
[Mon Aug 10 17:48:43 2020] [LLNG:29731] [debug] Processing controlUrl
[Mon Aug 10 17:48:43 2020] [LLNG:29731] [debug] Required URL (param: HTTP Referer | value: | alias: http://)
[Mon Aug 10 17:48:43 2020] [LLNG:29731] [debug] Processing checkLogout
[Mon Aug 10 17:48:43 2020] [LLNG:29731] [debug] Processing code ref
[Mon Aug 10 17:48:43 2020] [LLNG:29731] [debug] Launching ::Issuer::SAML::logout
[Mon Aug 10 17:48:43 2020] [LLNG:29731] [debug] No SAML session found for session bef8368b05f861668d8c97539b8ce025a4237d6282e4c094590305f247b983ef
[Mon Aug 10 17:48:43 2020] [LLNG:29731] [debug] No SAML session available into this session
[Mon Aug 10 17:48:43 2020] [LLNG:29731] [debug] Processing authLogout
[Mon Aug 10 17:48:43 2020] [LLNG:29731] [debug] No SAML session found for session bef8368b05f861668d8c97539b8ce025a4237d6282e4c094590305f247b983ef
[Mon Aug 10 17:48:43 2020] [LLNG:29731] [debug] Use method POST with IDP Proxyma for SLO profile
[Mon Aug 10 17:48:43 2020] [LLNG:29731] [debug] Loading Session dump: <Session xmlns="http://www.entrouvert.org/namespaces/lasso/0.0" Version="2">
<NidAndSessionIndex ProviderID="https://portal2/saml/metadata" AssertionID="_38EF7989B897E79653F72DF3AE2BCE00" SessionIndex="58ef9cf2b8245fa5a77b06b2d14f6767bf2a21998d9537e9c27343ed921c51bf">
<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos">christophe.maudoux</saml:NameID>
</NidAndSessionIndex>
</Session>
[Mon Aug 10 17:48:43 2020] [LLNG:29731] [debug] Set 0dcc041aaff0be42c7e5c2dab6729c2fc7340aaadfd9164af2660ce64655c8a0 in RelayState
[Mon Aug 10 17:48:43 2020] [LLNG:29731] [debug] SLO request will be signed
[Mon Aug 10 17:48:43 2020] [LLNG:29731] [debug] Logout request created
[Mon Aug 10 17:48:43 2020] [LLNG:29731] [debug] Keep request ID _35AAF26AC29FECA8431617618176A287 in assertion session aae31df2b67b8504cdb3be99895ab414fca88bd7cd399e4454b75ead8ccefe96
[Mon Aug 10 17:48:43 2020] [LLNG:29731] [debug] Redirect user to https://portal2/saml/singleLogout using autoPost
Mon Aug 10 17:48:43 2020 - [uwsgi-perl error] Can't locate object method "postFields" via package "Lemonldap::NG::Portal::Auth::SAML" at /usr/share/perl5/Lemonldap/NG/Portal/Auth/SAML.pm line 1384.
[pid: 29731|app: 0|req: 12/17] 192.168.40.150 () {54 vars in 1133 bytes} [Mon Aug 10 17:48:43 2020] GET /?logout=1 => generated 21 bytes in 144 msecs (HTTP/1.1 500) 2 headers in 83 bytes (0 switches on core 0)
Log with pdata SameSite=None
[Mon Aug 10 17:59:36 2020] [LLNG:28367] [debug] User XXXX@GN was granted to access to /?logout=1
[Mon Aug 10 17:59:36 2020] [LLNG:28367] [debug] Start routing default route
[Mon Aug 10 17:59:36 2020] [LLNG:28367] [debug] Processing importHandlerData
[Mon Aug 10 17:59:36 2020] [LLNG:28367] [debug] Processing controlUrl
[Mon Aug 10 17:59:36 2020] [LLNG:28367] [debug] Processing checkLogout
[Mon Aug 10 17:59:36 2020] [LLNG:28367] [debug] Processing code ref
[Mon Aug 10 17:59:36 2020] [LLNG:28367] [debug] Launching ::Issuer::SAML::logout
[Mon Aug 10 17:59:36 2020] [LLNG:28367] [debug] No SAML session found for session 3d80210bcd3ff9420bc1988c5df20ff2238bca653bffc50d05d3b79b70a4e8fd
[Mon Aug 10 17:59:36 2020] [LLNG:28367] [debug] No SAML session available into this session
[Mon Aug 10 17:59:36 2020] [LLNG:28367] [debug] Processing authLogout
[Mon Aug 10 17:59:36 2020] [LLNG:28367] [debug] Retrieve SAML session 67c84d3cb326ad28249c695fed40a0b289d1cd83890fcd0e132b44f78bf03e2b
[Mon Aug 10 17:59:36 2020] [LLNG:28367] [debug] SAML session 67c84d3cb326ad28249c695fed40a0b289d1cd83890fcd0e132b44f78bf03e2b deleted
[Mon Aug 10 17:59:36 2020] [LLNG:28367] [debug] Use method POST with IDP Proxyma for SLO profile
[Mon Aug 10 17:59:36 2020] [LLNG:28367] [debug] Loading Session dump: <Session xmlns="http://www.entrouvert.org/namespaces/lasso/0.0" Version="2">
<NidAndSessionIndex ProviderID="https://portal2/saml/metadata" AssertionID="_E54C8C4B7F9B54D31D39ADC77B026FA0" SessionIndex="3b9dffa3141717d4306ac779491ca86f91fb9f023ae11d900629739fcf88a786">
<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos">christophe.maudoux</saml:NameID>
</NidAndSessionIndex>
</Session>
[Mon Aug 10 17:59:36 2020] [LLNG:28367] [debug] SLO request will be signed
[Mon Aug 10 17:59:36 2020] [LLNG:28367] [debug] Logout request created
[Mon Aug 10 17:59:36 2020] [LLNG:28367] [debug] Keep request ID _C3B5E373F89DF366D12CEF58637D1ECF in assertion session b5c2387093c4f1d10b93185b85fff56a2c2f95e9dd7ace4388e3e68399a20794
[Mon Aug 10 17:59:36 2020] [LLNG:28367] [debug] Redirect user to https://portal2/saml/singleLogout using autoPost
[Mon Aug 10 17:59:36 2020] [LLNG:28367] [debug] Cleaning pdata
[Mon Aug 10 17:59:36 2020] [LLNG:28367] [debug] Processing deleteSession
[Mon Aug 10 17:59:36 2020] [LLNG:28367] [debug] Try to get SSO session 3d80210bcd3ff9420bc1988c5df20ff2238bca653bffc50d05d3b79b70a4e8fd
[Mon Aug 10 17:59:36 2020] [LLNG:28367] [debug] Get session 3d80210bcd3ff9420bc1988c5df20ff2238bca653bffc50d05d3b79b70a4e8fd from Portal::Main::Run
[Mon Aug 10 17:59:36 2020] [LLNG:28367] [debug] Return SSO session 3d80210bcd3ff9420bc1988c5df20ff2238bca653bffc50d05d3b79b70a4e8fd
[Mon Aug 10 17:59:36 2020] [LLNG:28367] [debug] Local handler logout
[Mon Aug 10 17:59:37 2020] [LLNG:28367] [notice] User XXXX@GN has been disconnected from SAML (192.168.C.D)
[Mon Aug 10 17:59:37 2020] [LLNG:28367] [debug] [notice] User XXXXXX@GN has been disconnected from SAML (192.168.C.D)
[Mon Aug 10 17:59:37 2020] [LLNG:28367] [debug] Session 3d80210bcd3ff9420bc1988c5df20ff2238bca653bffc50d05d3b79b70a4e8fd deleted from global storage
[Mon Aug 10 17:59:37 2020] [LLNG:28367] [debug] Processing autoPost
[Mon Aug 10 17:59:37 2020] [LLNG:28367] [debug] Delete all hidden values
Possible fixes
Always set the pdata cookie SameSite value to None?